• @[email protected]
      link
      fedilink
      English
      19
      edit-2
      7 hours ago

      I mean, this kind of stuff was going to happen.

      The more-important and more-widely-used open source software is, the more appealing supply-chain attacks against it are.

      The world where it doesn’t happen is one where open source doesn’t become successful.

      I expect that we’ll find ways to mitigate stuff like this. Run a lot more software in isolation, have automated checking stuff, make more use of developer reputation, have automated code analysis, have better ways to monitor system changes, have some kind of “trust metric” on packages.

      Go back to the 1990s, and most everything I sent online was unencrypted. In 2024, most traffic I send is encrypted. I imagine that changes can be made here too.

    • Ogmios
      link
      fedilink
      English
      6
      edit-2
      7 hours ago

      Because people have forgotten that bad actors exist.

  • Arghblarg
    link
    fedilink
    English
    128 hours ago

    I don’t know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: ‘vendoring’. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.

    • @[email protected]
      link
      fedilink
      English
      133 minutes ago

      That won’t prevent typo squatting. This article is a out people wanting to add a dependency to “famousLib” and instead typing “famusLib”.

      What probably help more in Go is the lack of a central repo so you actually need to “go get github.com/whoever…” so typo squatting is a bit be a bit more complicated.

      On the other hand it will be an easy fix in NPM by simply adding a check to libraries names and reject names that are too similar since it’s centralized.

    • @[email protected]
      link
      fedilink
      English
      117 hours ago

      I don’t think that that’s a counter to the specific attack described in the article:

      The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.

      That’d be a counter if you have some known-good version of a package and are worried about updates containing malicious software.

      But in the described attack, they’re not trying to push malicious software into legitimate packages. They’re hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).

    • @[email protected]
      link
      fedilink
      English
      148 hours ago

      NPM has that as well. In fact most languages and build tools support that. It’s actually rare to not have support for that these days.

      • Arghblarg
        link
        fedilink
        English
        28 hours ago

        Ah, good. I wonder why it isn’t used more often – this wouldn’t be such a huge problem then I would hope. (Let me guess – ‘convenience’, the archenemy of security.)

        • @LiPoly
          link
          English
          33 hours ago

          Because it doesn’t really solve much. After every update of external libraries, do you go through all the diffs to see if there is malicious code? Of course you don’t. And even if you would, it’s not even always possible to spot it. So all locking packages does is postpone the problem to when you eventually update. As an added bonus, you’re now vulnerable to all the legitimate issues that get fixed in those updates you’re not installing regularly.